IN THE CLAIMS: 



1. (Previously Presented) A computer implemented method in a data processing 
system for managing access to resources, the method comprising: 

responsive to matching an entry in an access control list of a specific resource 
with credentials of a process, granting a security identifier given by the access control list 
to the process, wherein the security identifier has no meaning outside of being used to 
make an access decision for the specific resource, wherein granting the security identifier 
further comprises: 

adding the security identifier to the credentials of the process to form an 
object access identifier, wherein the object access identifier is granted based on a path of 
execution; 

limiting a scope of the security identifier to an application space, wherein 
access rights associated with the security identifier are limited to a specific 
application, and wherein propagation of access rights is prevented by specifying 
the access rights are limited to the specific application; and 

responsive to granting the security identifier to the process, identifying the 
security identifier as an unavailable security identifier that is no longer available 
to be granted to other processes, wherein the security identifier is not reused; and 
responsive to the process requesting access to the specific resource, generating the 
access decision based on the security identifier. 

2. (Cancelled) 

3. (Previously Presented) The computer implemented method of claim 1, wherein 
granting a security identifier given by the access control list to the process further 
comprises: 

granting the security identifier to the credentials of the process based on an 
identity of the process and a second process invoked by the process, wherein the 
credentials of the process are modified based on the identity of the process and the path 
of execution by which the process is executed. 

Basibes et al. - 10/672,261



4. (Previously Presented) The computer implemented method of claim 1, wherein 
granting a security identifier given by the access control list to the process further 
comprises: 

setting the security identifier in an access control list operation. 

5. (Previously Presented) The computer implemented method of claim 1 further 
comprising: 

changing the security identifier in response to the process invoking a selected 
resource. 

6. (Previously Presented) The computer implemented method of claim 1, wherein 
generating the access decision based on the security identifier further comprises: 

using the security identifier as an identity in an access control list to identify a 
right to the specific resource. 

7. (Previously Presented) The computer implemented method of claim 1, wherein 
the entry in the access control list is a first entry and wherein generating the access 
decision based on the security identifier further comprises: 

comparing a second entry in the access control list with the credentials of the 
process; and 

responsive to the second entry matching the security identifier in the credentials 
of the process, generating an access decision that grants the process access to the specific 
resource, wherein the security identifier is a right in an access control list. 

8-22. (Canceled) 

23. (Previously presented) The computer implemented method of claim 1 wherein the 
security identifier uniquely identifies the path of execution taken by the process and 
further comprising: 
granting a different security identifier to the process based on a different path of 
execution taken by the process, wherein each security identifier granted to the process 
represents a different path of execution taken by the process. 

24. (Previously presented) The computer implemented method of claim 23 further 
comprising: 

examining a plurality of security identifiers added to the credentials of the process 
to uniquely identify execution states associated with the process. 

25. (Previously presented) The computer implemented method of claim 1 further 
comprising: 

tracking paths of execution for the process using security identifiers added to the 
credentials of the process to form execution path information; and 

conveying the execution path information to a subsequent trusted process. 